docArithmetic in Picard Groups and Application to Pairings 2
download 
Plainte Transcription
Arithmetic in Picard Groups and Application to Pairings 2
Arithmetic in Picard Groups and
Application to Pairings 2
GTEM Workshop on Pairings, IEM Essen
5. Mai 2009
Florian Heß
Technische Universität Berlin
Florian Heß
1
Essen
5. Mai 2009
Motivation
This talk is about fast arithmetic in divisor class groups of algebraic
curves over finite fields for large genus.
What you do not get from this talk:
• Fast arithmetic for low genus curves optimised for use in a
cryptographic system.
Some reasons why to consider this problem:
• General interest
• Useful for index calculus attacks, pairings.
Florian Heß
2– iii
Essen
5. Mai 2009
Previous work
There is a long history of previous work on the theory and on
algorithms for the
• Riemann-Roch problem
• arithmetic in class groups
• algebraic geometric codes
• integration of algebraic functions
• parametrisation of algebraic curves
• ...
Can roughly be divided into
• arithmetic methods (integral closures, ideals, ...)
• geometric methods (Brill-Noether method of adjoints, ...)
Florian Heß
3
Essen
5. Mai 2009
Previous work
Theory:
• Brill and Noether (1874, 1884),
• Dedekind and Weber (1882), F. K. Schmidt (1931).
Geometric and arithmetic algorithms for divisor
class groups for g → ∞:
hyperell. divclgrp
O(g2)
RR problem + divclgrp for
general plane curves
O(n6h(D)6)
1994
Volcheck
divclgrp for g. p. curves O(max{n, g}7)
1998 Galbraith, Paulus, divclgrp for superell. curves
O(n4g4)
Smart
1999
Arita
divclgrp for Ca,b curves
O(g3)
1987
1993
Florian Heß
Cantor
Huang, Ierardi
4– iv
Essen
5. Mai 2009
Previous work
Geometric and arithmetic algorithms for divisor
class groups for g → ∞ (ctd):
RR problem and divclgrp
O(g2)
for general curves
for fixed n
2001 Khuri-Makdisi divclgrp for general curves O∼(g3)
2004
with precomputation
1999
Hess
This and next slide n = min{[F : k(x)] | x ∈ F separating }.
Florian Heß
5
Essen
5. Mai 2009
Discussion
KM result:
• Links complexity of divclgrp to complexity of linear algebra
over k in dimension O∼(g).
• Probably optimal in the general case (n ' g/2).
• Fast linear algebra O∼(gω) with ω = 2.376.
H result:
• Links complexity of divclgrp to complexity of polynomial arithmetic
over k in degree O(g).
• Probably optimal under the assumption n = O(1).
• Fast polynomial arithmetic O∼(g).
This talk: Combine both running time characteristics
towards O∼(gnω−1) with n = O(g).
Florian Heß
6– iv
Essen
5. Mai 2009
Divisor and ideal class groups
Let
• x ∈ F be separating with (x)∞ = nP and deg(P) = 1,
• R = Cl(k[x], F).
• n = O(g).
Then
• R is a Dedekind domain.
• Ideals I 6= {0} of R are free k[x]-modules of rank n and form a
multiplicative monoid with cancellation law.
• Pic(R) = ( group of fractional ideals )/( group of principal ideals ).
• Pic(R) ∼
= Pic0(F).
Florian Heß
7– iii
Essen
5. Mai 2009
Arithmetic in the ideal class group
Represent ideal classes [I] by integral ideals I of small degree“.
”
Basic ideal operations for integral ideals I, J:
• Simple multiplication: Compute zI for z ∈ J.
• Integral division: Compute I/J for J | I.
Degree reduction:
• Rz/I has small degree if z ∈ I has degree close to that of I.
• Do not neccessarily get unique reduction ... but yields bounded
representation for I −1 and I.
When writing z ∈ I we always mean to pick z of degree
close to that of I.
Florian Heß
8– iv
Essen
5. Mai 2009
Arithmetic in the ideal class group
Arithmetic operations for [I], [J] ∈ Pic(R):
• Division: [I][J]−1 = [(zI)/J] for z ∈ J.
• Inversion: Use division with [I] = [R].
• Multiplication: Use division and inversion.
Equality test for [I], [J] ∈ Pic(R):
• Let [K] = [I][J]−1.
• Then [I] = [J] iff K = Rz for some z ∈ K of smallest degree.
Use linear algebra over k[x]!
Florian Heß
9– iv
Essen
5. Mai 2009
Bases, matrices and degree function
Integral basis ω1, . . . , ωn ∈ R of R:
• ∀z ∈ R : ∃ unique λi ∈ k[x] such that z = ∑i λiωi.
• Multiplication table λi, j,ν ∈ k[x]: ωiω j = ∑ν λi, j,νων.
Ideal basis αi ∈ I of ideal I:
• ∀z ∈ I : ∃ unique λi ∈ k[x] such that z = ∑i λiαi.
• Basis matrix MI ∈ k[x]n×n: (α1, . . . , αn) = (ω1, . . . , ωn)MI .
Principal ideal I:
• I = Rz for some z ∈ I.
• Representation matrix Mz ∈ k[x]n×n: (zω1, . . . , zωn) = (ω1, . . . , ωn)Mz.
Degree function:
• deg∗(z) = −vP(z) for z ∈ R, deg∗(I) = deg(det(MI )).
• Have deg∗(z) = deg∗(Rz), deg∗(x) = n.
Florian Heß
10– v
Essen
5. Mai 2009
Bounded representations
Fix ω1, . . . , ωn with successively smallest deg∗-values and let d = g/n.
Theorem:
1. There is a basis αi of I with deg∗(αi) ≤ deg∗(I) + 2g for all i.
There is α j with deg∗(α j ) ≤ deg∗(I) + g.
2. Elements of Pic(R) can be represented by I with deg∗(I) ≤ g.
3. deg(λi, j,ν)) ≤ 4d.
4. deg∗(∑i λiωi) ≤ w ⇒ deg(λi) ≤ w/n for all i.
5. deg∗(I) ≤ w ⇒ there is a basis matrix MI with deg(MI ) ≤ w/n.
Represent elements of Pic(R) by integral ideals of degree ≤ g with
n × n basis matrices of degree ≤ 3d.
Florian Heß
11– viii
Essen
5. Mai 2009
Linear algebra over polynomial rings
References: Storjohann, Villard, ...
Matrix multiplication in dimension n and degree d:
• Time O(d 2n3).
Degree reduction (function field LLL, weak Popov form):
• Let M = (v1, . . . , vm) ∈ k[x]n×m, r be the rank of M,
d = deg(M) = maxi deg(vi) the maximum polynomial degree in M.
• M is reduced iff deg(∑i λivi) = maxi deg(λivi) for all λi ∈ k[x].
• M can be transformed into reduced matrix by unimodular column
operations in time O(d 2nmr).
Kernel of M:
• Assume M has a basis matrix K for the k[x]-column kernel with
deg(K) ≤ d and that m ≥ n.
• Then such a K can be computed in time O(d 2m3).
Florian Heß
12– iv
Essen
5. Mai 2009
Simple multiplication
Compute zI for z ∈ R with deg∗(z) = O(g) and I integral
ideal with deg∗(I) = O(g).
Algorithm:
• Compute representation matrix Mz of z wrt ωi.
If z = ∑i µiωi then zω j = ∑ν(∑i µiλi, j,ν)ων.
• Multiply Mz and basis matrix of I to obtain a basis matrix of zI.
Note deg∗(zI) = deg∗(z) + deg∗(I).
Each step requires time O(d 2n3).
Florian Heß
13– iii
Essen
5. Mai 2009
Integral division
Let I, J with I | J and deg∗(J) = O(g). Compute JI −1 = {z ∈ R | zI ⊆ J}.
• Let I = ∑hj=1 Rβ j and MJ be the basis matrix of J.
• For z = ∑i λiωi and λ = (λ1, . . . , λn)t ∈ k[x]n:
λ
Mβ1 MJ
v1
−1
n .
.
. = 0.
..
.
z ∈ JI ⇔ ∃vi ∈ k[x] :
.
MJ
Mβh
vh
Algorithm:
• Compute basis of kernel of big matrix, has rank n and degree O(d).
• Top n × n matrix yields basis matrix of JI −1.
Required time O(d 2(hn)3).
Florian Heß
14– v
Essen
5. Mai 2009
Ideal basis reduction
Ideal basis reduction for I with deg∗(I) = O(g):
• Let di = ⌈deg∗(ωi)/n⌉. Then di = O(d).
• Let MI be a basis matrix of I with deg(MI ) = O(d).
Algorithm:
• Multiply the i-th row of MI by xdi for all i
• Apply the reduction algorithm.
• Divide the i-th row of the result by xdi for all i.
• Denote the result by MI .
The basis elements αi then satisfy deg∗(αi) ≤ deg∗(I) + 2g
and there is α j with deg∗(α j ) ≤ deg∗(I) + g.
Required time O(d 2n3).
Florian Heß
15– iv
Essen
5. Mai 2009
Degree reduction
Degree reduction I with deg∗(I) = O(g):
• Let MI be a basis matrix of I with deg(MI ) = O(d).
Algorithm:
• Apply ideal basis reduction to I, yields new basis matrix Mi.
• Let z = α j with deg∗(α j ) ≤ deg∗(I) + g.
• Apply simple multiplication and integral division to obtain Rz/I.
The ideal Rz/I satisfies deg∗(Rz/I) ≤ g. Apply procedure twice to
reduce I.
Required time O(d 2n3).
Florian Heß
16– iv
Essen
5. Mai 2009
Principal ideal test
Principal ideal test for I with deg∗(I) = O(g):
• deg∗(z) ≥ deg∗(I) for all z ∈ I,
• I = Rz iff z ∈ I and deg∗(z) = deg∗(I).
• Let αi be a reduced ideal basis.
• The ideal basis reduction also yields integers e1 ≤ · · · ≤ en with
L (I, r) = {z ∈ I | deg∗(z) ≤ rn} = {∑i λiαi | deg(λi) ≤ −ei + r} for all r ∈ Z.
• If z ∈ R such that deg∗(zI) = rn, then zI principal iff L (zI, r) 6= 0.
Algorithm:
• Compute z ∈ R such that deg∗(zI) = rn and deg∗(z) = O(g).
(Precomputation for all possible degrees of I).
• Using ideal basis reduction on zI check L (zI, r) 6= 0.
Required time O(d 2n3).
Florian Heß
17– iv
Essen
5. Mai 2009
Ideal generating sets
Time for integral division is O(d 2(hn)3).
Let I be an ideal with deg∗(I) = O(g) and reduced basis αi.
Let h = max{logq(g), 2}.
Proposition (KM):
• A random choice of h elements β j of ∑ni=1 kαi is a generating
system for I with probability ≥ 1/2.
Algorithm for integral division:
• Choose h random such β j (for n = O(1) we can take the αi).
• Compute reduced basis of J/ ∑ j Rβ j .
• If deg∗(J/ ∑ j Rβ j ) 6= deg∗(J) − deg∗(I) then repeat.
Required expected time O∼(d 2n3).
Florian Heß
18– iii
Essen
5. Mai 2009
Multiplication table speed up
Time for representation matrix computation O(d 2n3).
Use FFT inspired/based technique:
• Work in R/RxO(d), can lift elements of small degree back to R.
• Assume there is y ∈ R such that gcd((R : k[x, y]), x) = 1.
• Then R/xd ∼
= k[x, y]/xd , are free k[x]/xd -modules.
• Isomorphism evaluated by multiplication of unimodular n × n
matrix of degree ≤ d.
• Multiplication in k[x, y]/xd in time O(d 2n2) or O∼(dn).
Florian Heß
19– ii
Essen
5. Mai 2009
Pairing computation
Need to evaluate the functions z ∈ R occuring in simple multiplication
and principal ideal test:
• Compute norm of z in R/J over k.
• If zero then choose different equivalent J.
• No inversions necessary.
• Maybe can use J for FFT inspired technique simultaneously
(counted before as precomputation).
• O(log2(r)) evaluations in total.
Runtime not evaluated yet ...
Florian Heß
20
Essen
5. Mai 2009
Conclusion
The overall running time for arithmetic in Pic0(F) is
O∼(d 2n3) = O∼(g2n)
where dn = g.
• For d = O(1) we obtain O∼(g3) (KM).
• For n = O(1) we obtain O(g2) (H).
• For Ca,b curves we obtain O∼(g5/2).
The running time linkable to linear algebra over polynomial rings
with nd = g, should result in O∼(dnω) = O∼(gnω−1).
An n = O(1) and time O(g2) or O∼(g) implementation is available in
the computer algebra systems Kash and Magma.
Pairings should be similar ... runtime O∼(log2(r)gnω−1).
Florian Heß
21– v
Essen
5. Mai 2009
